Details of VAR-202003-0534

ID

VAR-202003-0534

CVE

CVE-2019-9103

TITLE

plural Moxa MGate Information leakage vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-014862

DESCRIPTION

An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An attacker can access sensitive information (e.g., conduct username disclosure attacks) on the built-in WEB-service without authorization. plural Moxa MGate The device contains a vulnerability related to information leakage.Information may be obtained. Moxa MB3170/MB3270/MB3180/MB3280/MB3480/MB3660 series is an advanced Ethernet gateway device produced by Taiwan Moxa Technology Co., Ltd. Many Moxa products have information disclosure vulnerabilities

Trust: 2.16

sources: NVD: CVE-2019-9103 // JVNDB: JVNDB-2019-014862 // CNVD: CNVD-2020-18364

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-18364

AFFECTED PRODUCTS

vendor:	moxa	model:	mb3180	scope:	lte	version:	2.0	Trust: 1.0
vendor:	moxa	model:	mb3270	scope:	lte	version:	4.0	Trust: 1.0
vendor:	moxa	model:	mb3170	scope:	lte	version:	4.0	Trust: 1.0
vendor:	moxa	model:	mb3280	scope:	lte	version:	3.0	Trust: 1.0
vendor:	moxa	model:	mb3660	scope:	lte	version:	2.2	Trust: 1.0
vendor:	moxa	model:	mb3480	scope:	lte	version:	3.0	Trust: 1.0
vendor:	moxa	model:	mgate mb3170	scope:	eq	version:	4.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3180	scope:	eq	version:	2.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3270	scope:	eq	version:	4.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3280	scope:	eq	version:	3.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3480	scope:	eq	version:	3.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3660	scope:	eq	version:	2.3	Trust: 0.8
vendor:	moxa	model:	mb3180	scope:	lte	version:	<=2.0	Trust: 0.6
vendor:	moxa	model:	mb3280	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	moxa	model:	mb3480	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	moxa	model:	mb3660	scope:	lte	version:	<=2.2	Trust: 0.6
vendor:	moxa	model:	mb3170	scope:	lte	version:	<=4.0	Trust: 0.6
vendor:	moxa	model:	mb3270	scope:	lte	version:	<=4.0	Trust: 0.6

sources: CNVD: CNVD-2020-18364 // JVNDB: JVNDB-2019-014862 // NVD: CVE-2019-9103

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-9103
value:	MEDIUM
Trust: 1.0
cve@mitre.org:	CVE-2019-9103
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2019-014862
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-18364
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202002-1200
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2019-9103
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014862
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-18364
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-9103
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2019-9103
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.0
NVD:	JVNDB-2019-014862
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-18364 // JVNDB: JVNDB-2019-014862 // CNNVD: CNNVD-202002-1200 // NVD: CVE-2019-9103 // NVD: CVE-2019-9103

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2019-014862 // NVD: CVE-2019-9103

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1200

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202002-1200

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014862

PATCH

title:	MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways Vulnerabilities	url:	https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities	Trust: 0.8
title:	Patch for Multiple Moxa product information disclosure vulnerabilities (CNVD-2020-18364)	url:	https://www.cnvd.org.cn/patchInfo/show/209835	Trust: 0.6
title:	Multiple Moxa Product information disclosure vulnerability repair measures	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111953	Trust: 0.6

sources: CNVD: CNVD-2020-18364 // JVNDB: JVNDB-2019-014862 // CNNVD: CNNVD-202002-1200

EXTERNAL IDS

db:	NVD	id:	CVE-2019-9103	Trust: 3.0
db:	ICS CERT	id:	ICSA-20-056-01	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-014862	Trust: 0.8
db:	CNVD	id:	CNVD-2020-18364	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.0720	Trust: 0.6
db:	CNNVD	id:	CNNVD-202002-1200	Trust: 0.6

sources: CNVD: CNVD-2020-18364 // JVNDB: JVNDB-2019-014862 // CNNVD: CNNVD-202002-1200 // NVD: CVE-2019-9103

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-056-01	Trust: 3.6
url:	https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9103	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9103	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0720/	Trust: 0.6

sources: CNVD: CNVD-2020-18364 // JVNDB: JVNDB-2019-014862 // CNNVD: CNNVD-202002-1200 // NVD: CVE-2019-9103

CREDITS

Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Maxim Kozhevnikov from Positive Technologies

Trust: 0.6

sources: CNNVD: CNNVD-202002-1200

SOURCES

db:	CNVD	id:	CNVD-2020-18364
db:	JVNDB	id:	JVNDB-2019-014862
db:	CNNVD	id:	CNNVD-202002-1200
db:	NVD	id:	CVE-2019-9103

LAST UPDATE DATE

2024-11-23T21:36:03.633000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-18364	date:	2020-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-014862	date:	2020-03-24T00:00:00
db:	CNNVD	id:	CNNVD-202002-1200	date:	2020-03-13T00:00:00
db:	NVD	id:	CVE-2019-9103	date:	2024-11-21T04:50:59.243

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-18364	date:	2020-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-014862	date:	2020-03-24T00:00:00
db:	CNNVD	id:	CNNVD-202002-1200	date:	2020-02-25T00:00:00
db:	NVD	id:	CVE-2019-9103	date:	2020-03-11T15:15:17.153